
Track Traffic in Second Subnet Using DMZ

I just inherited responsibility for an ASG120 and got it current on firmware (9.408-1) and pattern (113909), so I am new to UTM configuration.  The network configuration is strange.  There is a switch on the WAN ahead of the ASG120 which splits it to two firewalls, one the ASG120, each having its own external IP Address and managing a different LAN subnet, e.g. 192.168.25.xxx and 192.168.0.xxx.  I like the UTM Executive Report to identify network abusers, but the other firewall is not Sophos and offers nothing similar.  I want to put the other firewall behind the ASG120 by connecting it to the open DMZ port to include its traffic in the report.  My understanding is that IP Addresses in the DMZ LAN are exposed to the WAN, so I can just move the connection and remove the switch ahead of the two firewalls.  I am suspicious it is not that easy and am asking for advice.

  • Hi, Dean, and welcome to the UTM Community!

    I suspect that the best would be to disconnect the other device and connect the other subnet to your DMZ port directly.  In fact, the number of things you would need to check and adjust for in moving the other firewall behind the UTM is probably the same as getting rid of it altogether.  Here are just a few:

    • Is the other device being used as a remote access server?
    • Are there any port forwards (DNATs) in place?
    • Is it connected via IPsec VPN to another site?
    • Can you just bridge the device instead of having it be a router that creates double-NAT for the subnet?

    "My understanding is that IP Addresses in the DMZ LAN are exposed to the WAN" - that seems unlikely unless there is massive port forwarding.

    Another issue to examine is whether your UTM 120 has enough oomph to handle the additional subnet.  In any case, you will want to upgrade to the new SG series (simply backup the configuration from your 120 and restore it to your new SG) instead of renewing your subscription for the 120 which is End-of-Life on 6/30/2018.  Consult your reseller for a recommendation of 115, 125 or 135.

    Cheers - Bob

  • Bob,

    I am glad I asked before rearranging cables.  The second firewall is doing nothing but NAT.  It has a very basic configuration and rules.  No port forwarding or VPNs.  The UTM firewall also does NAT, has a few rules and simple VPN accesses.  I have implemented QoS on it to control video streaming but the second firewall can't do that.  Both subnets have their own Windows servers which do DHCP, Local DNS, Active Directory, print serving, wifi access point management, etc.  The 110 is not stressed, CPU use runs about 10% with an occasional blip to 40%, memory use is flat at about 30%.  Being a church there is never money to replace things that are working and it is only in its fourth year - maybe early 2018.

    You made the critical comment about removing the second firewall.  I would like to do that as long as I can preserve the two subnets and their associated servers.  We have a lot of static IP Addresses and I want to avoid having to manually change them.  So now I will start researching how to manage two subnets with one UTM firewall.

    Thanks for the quick response,

    Dean

  • A 110?  We've never sold one of those.  I know that the licensing once limited the number of protected IPs to 10, but your license is probably new enough that there are different limitations.  You should check with your reseller about whether it makes sense to migrate the other subnet before you replace the device.

    Cheers - Bob

  • I mistyped, it is an ASG120, which is still quite old.

  • That's positive, Dean.  Please insert a screen capture of the weekly CPU and Memory Usage graphs.  Also, on the Dashboard what do you see for Model?

    Cheers - Bob

  • You're positioned to move the other subnet onto the UTM with no problems.  Just define an interface for the Ethernet port labeled "DMZ" and give it the same subnetting as the current firewall.  You'll want to duplicate the masquerading for them.

    In the Firewall rules, where there's "Any" in the Destination, change that to "Internet" and add the "(Network)" object for the new subnet to the Source.

    If you can get the MAC address from the other firewall, go to the 'Hardware' tab in 'Interfaces' and set the Virtual MAC to that.  This means you'll be able to just pull the Ethernet cable out of the back of the old firewall and plug it into the DMZ port without having to reset the switch at the other end of the cable.

    Cheers - Bob

  • Bob,

    I have a few more questions.

    I believe the DMZ interface can be assigned any available internal IP Address, or even use DHCP from the server?

    Do you mean give this interface an IP Address and the subnet of the second firewall (192.168.0.xxx) rather than that of the Sophos firewall (192.168.25.xxx)?

    My interpretation is that I could clone every firewall rule for WAN to the first subnet LAN and change the clone to point to the second subnet DMZ?

    I think what you said is create an Internet object and assign the LAN and DMZ to it? (Rather than the rule clone.)

    I have the MAC address of the WAN port of the second firewall.  The Sophos and second firewall WAN ports are configured to different external IP Addresses xxx.xxx.239.130 and xxx.xxx.239.134.  Will setting the Virtual MAC on the DMZ interface actually eliminate the need to change the WAN IP on the second firewall?

    Sorry for being new to Sophos,

    Dean


  • "I believe the DMZ interface can be assigned any available internal IP Address, or even use DHCP from the server?"

    Since it's the default gateway for the other subnet, I bet the internal interface on the other router has a fixed IP, and you should use that.

    "Do you mean give this interface an IP Address and the subnet of the second firewall (192.168.0.xxx) rather than that of the Sophos firewall (192.168.25.xxx)?"

    Yes, that's important.  You don't want two Interfaces with overlapping subnets as that will cause WebAdmin to create incorrect routes.  The implication of this is that you also cannot have two separate interfaces connected into the same Ethernet segment.

    "My interpretation is that I could clone every firewall rule for WAN to the first subnet LAN and change it the clone to point to the second subnet DMZ?"

    I bet none of your firewall rules in either device has one of your 192.168.x.y subnets as a Destination.  The suggestion I made above about changing your existing firewall rules doesn't require cloning anything - just change the Destinations to "Internet" from "Any" and add the second subnet to the Sources.  You very well might not need to copy any of the rules in the other firewall.

    "I think what you said is create an Internet object and assign the LAN and DMZ to it? (Rather than the rule clone.)"

    There is an existing Network object named "Internet" that you should use.

    "The Sophos and second firewall WAN ports are configured to different external IP Addresses xxx.xxx.239.130 and xxx.xxx.239.134.  Will setting the Virtual MAC on the DMZ interface actually eliminate the need to change the WAN IP on the second firewall?"

    I thought the second firewall was going away.  You will add the other public IP, from the other firewall, as an Additional Address on the "External" interface.  As I said above, setting the virtual MAC on the DMZ port will mean that you don't need to power-cycle anything internally for them to recognize a new MAC for the IP address.

    "I have the MAC address of the WAN port of the second firewall."

    Don't worry about that.  You will need to power-cycle the ISP's modem so that it picks up the new MAC of the Additional Address on the "External" interface.  Depending on your ISP, you may instead need to ask them to clear the ARP table in their last-hop router in front of you.

    One last thing I failed to mention - instead of duplicating the "Internal (Network)" Masquerading rule, use the Additional Address you created above so that the traffic from the subnet on DMZ continues to access the Internet using the same public IP.

    Cheers - Bob

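A small lint of the planned layout Bob describes, added here as an example that is not from the thread or from Sophos: it models the interface, firewall-rule and masquerading advice above as data and reports overlapping interface subnets, rules that still use "Any" as Destination or omit the new subnet as Source, and which public IP each masquerading entry will source from. All addresses are constructed, with 203.0.113.130 and .134 standing in for the thread's xxx.xxx.239.130 and .134; the /29 mask, the interface host addresses and the object names are assumptions.

```python
import ipaddress

# Constructed planned layout (not the poster's real config).  Public addresses
# use the documentation range 203.0.113.0/24 in place of xxx.xxx.239.x; the
# /29 mask and the interface host addresses are assumptions.
INTERFACES = {
    "Internal": "192.168.25.1/24",
    "DMZ": "192.168.0.1/24",        # reuse the old router's gateway IP here
    "External": "203.0.113.130/29",
}
# Additional Address on "External" carrying the second firewall's public IP.
ADDITIONAL = {"External [2nd WAN IP]": "203.0.113.134/29"}
# Firewall rules before editing: one still has "Any" as Destination and
# only the original LAN as Source (constructed sample).
RULES = [
    {"name": "Web surfing", "src": ["Internal (Network)"], "dst": "Any"},
    {"name": "Mail", "src": ["Internal (Network)", "DMZ (Network)"], "dst": "Internet"},
]
# Masquerading: network object -> interface or Additional Address to use.
MASQ = {"Internal (Network)": "External", "DMZ (Network)": "External [2nd WAN IP]"}


def overlapping_interfaces(interfaces=INTERFACES):
    """Pairs of interfaces whose subnets overlap (WebAdmin would mis-route)."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def lint_rules(rules=RULES, new_src="DMZ (Network)"):
    """Flag rules that keep 'Any' as Destination or omit the new subnet."""
    findings = []
    for r in rules:
        if r["dst"] == "Any":
            findings.append(f'{r["name"]}: change Destination "Any" to "Internet"')
        if new_src not in r["src"]:
            findings.append(f'{r["name"]}: add {new_src} to Source')
    return findings


def masq_public_ip(network_obj, masq=MASQ, interfaces=INTERFACES, additional=ADDITIONAL):
    """Public IP the masquerading entry for network_obj will source from."""
    target = masq[network_obj]
    cidr = interfaces.get(target) or additional[target]
    return str(ipaddress.ip_interface(cidr).ip)
```

With this data the DMZ subnet keeps leaving on the second public IP, as the last point in Bob's reply intends, and the only findings are on the rule that was never updated.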